When Cyber Data Risk Managers was established in 2011 there were 25 or less insurance carriers at the time that offered cyber insurance. Fast forward to 2020 and there are now hundreds of insurers offering cyber insurance in some form, whether it is a standalone policy or an addon to an existing insurance policy. This has led to many choices and options to select from.
While having options is always deemed to be a good thing, too many options can cause cyber insurance coverage value to diminish as more insurers will be forced to have to add new exclusions or policy limitations in order to remain competitive. Do you know when you shop at the supermarket and you notice that the container that holds your favorite ice cream seems smaller but the price is the same? You either purchase and accept that you’re getting less for the same price, or you may revolt and decide not to purchase due to the downgrade in size.
With many cyber insurance offerings and like with ice cream, too many flavors to select from, buyers may not even realize there’s been a change until it’s too late to do anything about it (i.e. “buying a cyber insurance policy and thinking something is covered only to learn otherwise at the time of the claim”), or observant buyers may just decide to forego their purchase until a later time. We could probably all agree that if we put off buying ice cream to a later time, that would have no financial impact. However, halting the purchase of cyber insurance could have a pretty significant financial impact being that there are way too many emerging risks and threats that could happen.
Here’s our list of Cyber Insurance Top 11 Threat Trends for 2020:
1. Cloud Security Exploits
With more organizations and businesses now in the cloud, we will see more cloud security exploits due to insecure interfaces, misconfiguration of cloud services, rogue employees and credential hijacking. With many cloud security exploits on the horizon, organizations and businesses will wake up to the realization in 2020 that cloud security is a shared responsibility. Cyber insurance policy holders will want to check their policies to ensure there is coverage for data hosting or processing services that are outsourced to third-party service providers (i.e. “Cloud Service Providers”).
2. California Consumer Privacy Act (CCPA)
The CCPA goes into effect on January 1, 2020 and is expected to set the standard for data privacy in the United States. Once the proposed regulations are implemented on July 1, 2020, the California Attorney General will be able to initiate enforcement actions and consumers can initiate a private right of action against noncompliant businesses. Indeed, other states will undoubtedly follow California’s example. As it pertains to cyber insurance, CCPA will have a big impact on organizations and businesses being that they can be fined by the government for violating the CCPA and sued by individuals affected by a data breach. As we near the CCPA enforcement date, cyber insurers are slowly beginning to craft policy endorsements that may cover additional violations under the CCPA.
3. Targeted Ransomware will Escalate
Ransom attacks were at an all time high in 2019. In 2020, we expect no different. However, ransomware attacks will become more targeted to an organization or business as hackers will conduct more R&D to determine their best target. They will then hit their victims hard, leaving no choice but to pay the ransom demand. Cyber insurers were inundated with ransomware claims throughout 2019 and they will certainly be there to assist organizations with ransom demands in 2020. However, we expect that insurers will begin to rethink how they can continue providing this coverage being that it will begin to impact their ROI. Cyber insurers will need to consider being more prescriptive with data backup requirements for their policyholders.
4. Artificial Intelligence (AI) Powered/Automated Cyber Attacks
AI adaptive machine learning will get smarter, and provide hackers with more ammunition to create automated and high powered cyber attacks. While artificial intelligence continues to evolve, so will the persistence and innovation of hackers which will lead to more cyber insurance claims for policyholders.
5. 5G will begin the Next Frontier in Cyber Security Attacks
As the world is moving towards 5G mobile technology and 5G begins to roll out in 2020, this will lead to a faster and bigger network of IoT devices, leading to bigger DDoS attacks than we have ever seen before. This will create new opportunities for disruption which leads us to our next prediction. Cyber insurers must take notice of this emerging threat before it arrives.
6. Network Interruption/Longer Outages
Whether an outage is caused by a significant 5G network related cyber attack or an AI algorithm making a wrong decision, we expect to see longer network outages leading to an increase in network interruption insurance claims. Organizations and businesses will want to check their cyber insurance policies to see if it will provide coverage for an interruption or network outage for their networks or their cloud service provider. In addition, some cyber insurance policies now include coverage for network interruption or outages that are due to a non-cyber related incident. Going into 2020, all organizations and businesses will want to consider including this newer coverage endorsement in their cyber insurance policy or adding this coverage at their policy renewal.
7. IoT Security Exploits will Rise
Privacy and security of IoT connected devices will become a big issue in 2020. In 2019, we saw hacked cameras spy on homeowners and scare their families. Due to the 5G deployment, and its speed of light due to its bandwidth, we will have an overabundance of more interconnected things which will ultimately lead to many more security problems. In 2020, we expect that individuals will begin to wonder if they too, should have a cyber insurance policy.
8. Cyber-Physical Attacks
The ongoing threat of attacks targeting electrical grids, transportation systems, and water treatment facilities will escalate and continue to be a major threat going forward. In addition, cyber attacks that target IoT and smart medical devices can create havoc which can lead to physical damage, bodily injury or even death. Cyber insurance policy holders that are critical infrastructure providers, manufacturers or health care technology providers will want to make sure their policies have coverage for bodily injury or property damage.
9. Patching Problems will Compound
Software patching is a major problem being that unpatched vulnerabilities are a leading cause of system compromise. With Windows 7 support ending on January 14, 2020, this will lead to more unsupported and insecure legacy systems. We all remember the WannaCry ransomware attack which left many organizations exposed to the attack, due to not regularly updating operating systems and using outdated and unsupported operating systems like Windows XP (and soon to be Windows 7). Most cyber insurance policies contain exclusions for unsupported systems and insurers expect that you’re updating and patching your systems when updates become available.
10. Increase of SMB threats
SMBs are just as prone to cyber attacks as big corporations. You may recall that the Target breach was caused by a small HVAC company in which hackers used their network user credentials to access Target’s systems. Whether an SMB is under direct attack or being used as a way to gain access to a bigger target, SMBs will see a big increase of threats and all due to the nine threats listed above and many more. Fortunately, SMBs are actively planning to improve their security and have begun to purchase cyber insurance. Nonetheless, if your SMB does not yet have cyber insurance, now is the time to request your cyber insurance quotes.
11. Underpriced Cyber Insurance Premiums
While it is always a good thing to have many choices and options to select from, this may have hindered and will continue to hinder the growth of the cyber insurance industry due to the many, many cyber insurance policy offerings now available. Whether you agree or not, when compared to the actual cost of a data breach or ransom attack, cyber insurance premiums are way underpriced. With the plethora of cyber insurance policy offerings that are now available and will continue to be made available, in order to remain competitive and leverage the anticipated growth of the industry, carriers have underpriced and will continue to underprice their premiums. Though as a countermeasure, refer back to the ice cream example mentioned above and remain vigilant with your cyber insurance policy.
Nonetheless, you don’t need to be an Economist to know that if it only takes one big attack that can affect all cyber insurance policyholders at one time, the end result is that many carriers could be impacted at the same time and forcing some out of the market. This is why AM Best was wise to state in June 2019 that while Cyber insurers are profitable today, they must be wary of tomorrow’s risks. The list above certainly is an expensive one for cyber insurers, especially if not done right. While for now, the line remains profitable for insurers, due to all of the threats mentioned above, insurers are exposed to a great deal of uncertainly regardless of who they are and what they think they know.
Indeed, our eyes are wide open and paying close attention to the cyber insurance policy fine print. Indeed, it is the emerging risks of the cyber insurance industry that keep me up at night.